#913  Pull request returns git permission error
Closed
Vuong opened 3 weeks ago

When initiating a PR, I get a git error/notice with the following message:

Failed to run command: git rev-list ^333fd 6c3cb -50 -i --, return code: 128
fatal: detected dubious ownership in repository at '/opt/onedev/site/projects/1/git'
To add an exception for this directory, call:
git config --global --add safe.directory /opt/onedev/site/projects/1/git

It doesn't prevent me from creating the PR though.

How can I remove this error?

Is it just a matter of passing the following command to docker-compose.yml?

Maybe something like:

command: git config --global --add safe.directory /opt/onedev/site/projects/*/git

Or is there something else I have to resolve?

Thanks

=========

Directory permission in container

ls -la /opt/onedev/site/projects/1/git
drwxr-sr-x  7 1000 1000 4096 Aug 15 05:59 .
drwxr-sr-x  7 1000 1000 4096 Sep  5 08:52 ..
drwxr-sr-x  2 1000 1000 4096 Aug 15 05:59 branches
-rw-r-Sr--  1 1000 1000  162 Aug 15 05:59 config
-rw-r-Sr--  1 1000 1000   21 Aug 15 05:59 HEAD
drwxr-sr-x  2 1000 1000 4096 Aug 15 05:59 hooks
drwxr-sr-x  3 1000 1000 4096 Aug 15 05:59 logs
drwxr-sr-x 21 1000 1000 4096 Sep  9 02:02 objects
drwxr-sr-x  4 1000 1000 4096 Aug 15 05:59 refs

Robin Shen commented 3 weeks ago

How are you running OneDev? OneDev should be running as root in the container.

Vuong commented 3 weeks ago

I'm running OneDev from portainer as a stack. I believe it's running as root in the container.

Console

root@18b4139ff392:~#

Robin Shen commented 3 weeks ago

I started onedev from portainer and pull request works fine without any errors. Also my directory listing is as follows:

root@26f95dceb4a0:/opt/onedev/site/projects/1/git# ls -l
total 28
drwxr-xr-x 2 root root 4096 Sep  9 13:21 branches
-rw-r--r-- 1 root root  162 Sep  9 13:21 config
-rw-r--r-- 1 root root   21 Sep  9 13:58 HEAD
drwxr-xr-x 2 root root 4096 Sep  9 13:21 hooks
drwxr-xr-x 3 root root 4096 Sep  9 13:21 logs
drwxr-xr-x 8 root root 4096 Sep  9 14:00 objects
drwxr-xr-x 6 root root 4096 Sep  9 14:00 refs

Please let me know exact steps to reproduce the issue.

Vuong commented 3 weeks ago

I think the issue is permissions in the source directory.

My docker-compose.yml:

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/docker/volumes/onedev-data:/opt/onedev

Permissions on my source directory:

user@host:/opt/docker/volumes/onedev-data/site/projects/1$ ls -l
total 20
drwxr-sr-x  3 user01 user01 4096 Aug 15 05:59 attachment
drwxr-sr-x 15 user01 user01 4096 Sep  9 08:37 builds
drwxr-sr-x  7 user01 user01 4096 Sep  9 06:16 git
drwxr-sr-x  2 user01 user01 4096 Sep  9 08:37 index
drwxr-sr-x  4 user01 user01 4096 Aug 15 05:59 info

My etc/group file:

user01:x:1000:
docker:x:122:user01

Robin Shen commented 3 weeks ago

Is OneDev running as root in the container? This is required.

Robin Shen commented 3 weeks ago

Disregard my previous comment. I see you are already running as root.

Robin Shen commented 3 weeks ago

To double check, please log in to the container and run ps -ef to see the actual user the OneDev process is running as.

Also please change owner and group of /opt/docker/volumes/onedev-data to be root recursively.

Robin Shen changed state to 'Closed' 2 weeks ago
Previous value: Open; current value: Closed

Robin Shen commented 2 weeks ago

Closing it now. Feel free to reopen if there are more clues.

Vuong commented 2 weeks ago

root@18b4139ff392:/# ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 Sep10 ?        00:00:00 /bin/bash /root/bin/entrypoint.sh
root          32       1  0 Sep10 ?        02:27:06 java -cp ../boot/* -XX:MaxRAMPercentage=50.0 io.on
root       11203       0  0 Sep14 pts/0    00:00:00 bash
root       27761       0  1 01:41 pts/1    00:00:00 bash
root       27775   27761  0 01:41 pts/1    00:00:00 ps -ef

Vuong changed state to 'Open' 2 weeks ago
Previous value: Closed; current value: Open

Vuong commented 2 weeks ago

Sorry for the late response. Re-opening

Robin Shen commented 2 weeks ago

The process owner is correct. I did some more tests, and this situation only happens when OneDev is running in bare metal mode, in which case the repository is cloned with the user running the OneDev process, and then handed to the container. In this case, if you operate the repository with git in the container, it will complain with this message, and it is fine to add it as a safe directory in your container.

However, you mentioned that OneDev is running with portainer, in which case the OneDev process itself is also running as root, and such an issue should never happen. So this confuses me. If you can investigate to provide me a detailed reproducing step, it will help a lot.

Vuong commented 2 weeks ago

> Also please change owner and group of /opt/docker/volumes/onedev-data to be root recursively.

This seems to have fixed the issue.

Vuong commented 1 week ago

> If you can investigate to provide me a detailed reproducing step, it will help a lot.

Portainer stack:

version: "3"

services:
  onedev-app:
    container_name: onedev
    image: 1dev/server:7.5.3
    restart: always
    ports:
      - "6610:6610"
      - "6611:6611"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${ONEDEV_DATA}:/opt/onedev

Where ONEDEV_DATA is: /opt/docker/volumes/onedev-data

It seems onedev doesn't like the fact I've set the permissions of /opt/docker/volumes/onedev-data to be my own user name and user group.

Docker itself doesn't mind because I've added myself to the docker group as per instructions from docker:

https://docs.docker.com/engine/install/linux-postinstall/

Let me know if there's anything else I can provide that might be useful.


Environment

Portainer: 2.15.0
OneDev: 7.5.3
Host OS: Ubuntu 22.04 LTS (Bare metal)

Robin Shen commented 1 week ago

It is fine that /opt/docker/volumes/onedev-data is owned by your own account. When OneDev container starts, it will populate this directory as root so everything under this directory should be owned by root then.

If they are changed to be owned by other accounts outside of OneDev, just change it back to be owned by root and things should be fine.

Vuong commented 1 week ago

> it will populate this directory as root so everything under this directory should be owned by root then

From what I can gather, do you mean this happens only once when that directory first gets populated?

> If they are changed to be owned by other accounts outside of OneDev, just change it back to be owned by root and things should be fine.

I'm not an expert in this area, but this sounds counter intuitive to me. Is it possible for onedev to operate without having to change the whole directory to root? Asking from a noob perspective tbh.

Robin Shen commented 1 week ago

> From what I can gather, do you mean this happens only once when that directory first gets populated?

Every time OneDev upgrades, it will repopulate this directory

> I'm not an expert in this area, but this sounds counter intuitive to me. Is it possible for onedev to operate without having to change the whole directory to root? Asking from a noob perspective tbh.

OneDev currently runs as root in the container. This is the reason why the directory is populated as root.

Vuong commented 1 week ago

> Every time OneDev upgrades, it will repopulate this directory

I'm dubious about this, at least on how successful it goes about it.
Because in my original issue description you can see the whole git directory is owned by user not root:

ls -la /opt/onedev/site/projects/1/git
drwxr-sr-x  7 1000 1000 4096 Aug 15 05:59 .
drwxr-sr-x  7 1000 1000 4096 Sep  5 08:52 ..
drwxr-sr-x  2 1000 1000 4096 Aug 15 05:59 branches
-rw-r-Sr--  1 1000 1000  162 Aug 15 05:59 config
-rw-r-Sr--  1 1000 1000   21 Aug 15 05:59 HEAD
drwxr-sr-x  2 1000 1000 4096 Aug 15 05:59 hooks
drwxr-sr-x  3 1000 1000 4096 Aug 15 05:59 logs
drwxr-sr-x 21 1000 1000 4096 Sep  9 02:02 objects
drwxr-sr-x  4 1000 1000 4096 Aug 15 05:59 refs

And I've upgraded multiple times over the lifetime of the install. So I assume whatever permissions I had on it, it would have been overwritten when upgraded.

Note that before I ran chown for the whole onedev data dir, I noticed that some files were owned by root and some by me.

Robin Shen commented 1 week ago

My mistake. File copy during upgrade does not change the ownership. I am not sure why its permission is incorrect in the first place. But once you changed back to root, things should be fine now.

Vuong commented 1 week ago

Ok. So in your opinion, this is working as expected. And no change required? If so, please close. Thanks

Robin Shen commented 1 week ago

As long as all contents under /opt/docker/volumes/onedev-data are owned by root, everything will be fine.

Robin Shen changed state to 'Closed' 1 week ago
Previous value: Open; current value: Closed
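
An added example, not part of the thread and not OneDev's own code: a read-only check for the condition discussed above, where git reports "dubious ownership" because a repository directory is owned by a different uid than the process running git. It assumes the `<data dir>/site/projects/<n>/git` layout shown in the listings; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit ownership of a OneDev data directory without changing it.
# Layout (<data_dir>/site/projects/<n>/git) is taken from the listings in the
# thread; the function names are hypothetical.

# Print each project git directory whose own owner differs from <uid>.
# These are the directories git would refuse to operate on when run as <uid>.
repos_with_foreign_owner() {
    data_dir=$1
    uid=$2
    for repo in "$data_dir"/site/projects/*/git; do
        [ -d "$repo" ] || continue
        # -prune: test only the directory itself, do not descend into it
        find "$repo" -prune ! -user "$uid" -print
    done
}

# Count every file and directory under <data_dir> not owned by <uid>.
# A non-zero result with some root-owned and some user-owned entries is the
# mixed state described in the thread before the recursive chown.
count_foreign_entries() {
    find "$1" ! -user "$2" -print | wc -l | tr -d ' '
}

# Stand-alone use: audit.sh <data_dir> <expected_uid>
# e.g. audit.sh /opt/docker/volumes/onedev-data 0   (0 = root, as in the thread)
if [ "$#" -eq 2 ]; then
    echo "Repositories not owned by uid $2:"
    repos_with_foreign_owner "$1" "$2"
    echo "Total entries not owned by uid $2: $(count_foreign_entries "$1" "$2")"
fi
```

Run on the host against the bind-mounted directory, it shows which entries a recursive ownership change would touch before anything is modified.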

Type: Discussion
Priority: Minor
Reference: issue onedev/server#913